Appwrite is installed in the subdomain. While the site is working in the main domain, it does not save the session to localStorage when I log in. But if I run it in a different domain, the problem is solved.
It works when Appwrite and my app are in different domains. If it is on the same domain, it does not save "cookieFallback" to localStorage.
I suggest you update Appwrite. After the update the problem was fixed; I had the same problem.
The fallback cookie here is used for overcoming cross-site cookie policies. Sessions should work even if the fallback cookie is not present.
I have a Google sign-in button that opens a new window for authorization. Can I get cookies from that frame? If the answer is yes, the next question is "how?" :)
Picture below shows my cookies (localhost) and cookies that came from Google auth.
Nope, these cookies are from another domain. For security reasons, you can't and never will be able to read cookies that are not from your domain.
Think about the consequences it would have if you could: people logging in on your website through some OAuth service for instance, would basically "lose" all the cookie data to your website's JavaScript context since your website happens to include some iframe/image/script from another domain. It would be able to read all cookie values and copy a login session for instance, which might be stored in it.
We have a register page on DomainA.com, which, after successful registration, shows a page with a JavaScript redirect to our application App.DomainB.com/direct-login/{login-token}. This has worked for a long time, until we wanted to use SameSite session cookies. With 'Strict' this won't work at all, so we decided to use 'Lax'.
Sadly 'Lax' also did not work. We found out that a back-end redirect (Location: App.DomainB.com/direct-login/token) did do the trick, but we have some Google Analytics events in the front-end of the DomainA.com response. I am not sure if we could move those GA events to App.DomainB.com, but we would rather not if at all possible.
Another "trick" we tried was creating a back-end redirect controller in DomainA.com, and when the registration was successful, it would show the JavaScript redirect, but this time redirect to DomainA.com/redirect/token. Sadly trying to trick the browser had no success.
My question is how we could make the redirect from DomainA.com to the direct login URL on App.DomainB.com, where App.DomainB.com sets a session cookie with the SameSite attribute (e.g. Strict or Lax), hopefully while keeping the GA events on DomainA.com.
If you guys have more questions, I'm happy to elaborate. Code snippets are possible if required.
TLDR; It seems that setting a samesite cookie when being redirected (via a client-side redirect) from another origin is blocked by most, if not all browsers. Is there any way to set the samesite cookie after being redirected from another origin?
EDIT: It turns out, SameSite=Lax does fix the problem.
I think I didn't test it carefully enough, but it turns out that the first fix, using SameSite=Lax actually does fix the problem. The cross origin redirect is being made and the session cookie is set.
It only fails to set the session cookie when using SameSite=Strict.
I hope this answer will help other people with a similar problem.
I have a website on VueJS and a backend on AWS.
Let's say the website is on www.mywebsite.com, on a hosting server with cPanel, and my backend on AWS runs under www.mybackend.com.
When the user logs in using the website, it makes an axios/fetch call to the backend. The backend will return a Set-Cookie for the www.mywebsite.com domain.
Although Chrome and FF work fine, Safari does not store the cookie as it is a cross-site cookie.
Is there any easy way to make Safari store the cookie and send it on the calls to the backend? Can I mask the backend URL with a subdomain from my main domain? Any ideas?
Safari does behave differently from those other browsers. It will only allow cross-origin cookies if they are from the same cookie domain.
So you can get this to work but only if you're in a position to change the URL so that the domains match.
So if you have a website at:
www.mywebsite.com
and the backend at:
backend.mywebsite.com
You can then share the cookie by setting the Domain:
Set-Cookie: my-cookie=value; Domain=mywebsite.com
If the two sites are on totally unrelated domains and you can't change that then I'm not aware of any way to make that work with Safari.
I did a more complete write-up of using cookies with CORS (including the quirks with Safari) at https://cors-errors.info/faq#cdc8
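To make the two rules the answers above depend on checkable offline, here is an added example (not code from any of the posts) modelling RFC 6265 domain matching and SameSite attachment: a Domain=mywebsite.com cookie reaches backend.mywebsite.com but never www.mybackend.com, and a cross-site top-level redirect like DomainA.com to App.DomainB.com carries a Lax cookie but not a Strict one. Host names are constructed sample values; Safari's extra third-party-cookie restrictions are not modelled.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: Optional[str] = None  # Domain attribute; None means host-only cookie
    samesite: str = "Lax"         # browsers default to Lax when the attribute is absent
    secure: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals the cookie domain or is a subdomain of it."""
    host, dom = request_host.lower(), cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def cookie_sent(cookie: Cookie, set_by_host: str, request_host: str,
                cross_site: bool, top_level_nav: bool, method: str = "GET") -> bool:
    """Would a browser attach this stored cookie to the described request?"""
    # Domain scoping: host-only cookies return only to the host that set them;
    # a Domain= cookie is shared with that domain and all of its subdomains.
    if cookie.domain is None:
        if request_host.lower() != set_by_host.lower():
            return False
    elif not domain_matches(request_host, cookie.domain):
        return False
    # SameSite scoping only restricts cross-site requests.
    if not cross_site:
        return True
    mode = cookie.samesite.lower()
    if mode == "none":
        return cookie.secure          # SameSite=None is only honoured with Secure
    if mode == "strict":
        return False                  # never attached to a cross-site request
    # Lax: attached only to top-level navigations using a safe method
    return top_level_nav and method.upper() in ("GET", "HEAD")


# Constructed scenarios from the threads above
shared = Cookie("my-cookie", domain="mywebsite.com")        # Set-Cookie ...; Domain=mywebsite.com
host_only = Cookie("my-cookie")                             # no Domain attribute
strict = Cookie("session", samesite="Strict", secure=True)
lax = Cookie("session", samesite="Lax", secure=True)
```
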
Can someone please help me to find a solution to maintaining the session across subdomains.
The site uses fake subdomains for users, eg. (thisuser.mysite.com/). All the fake subdomains map to the main site (mysite.com) so there's a common database for everything.
The subdomains are used only for a couple of components (com_xxx) on the site. For other components the user is redirected to the main site via .htaccess.
The problem is when a user is redirected to mysite.com from thisuser.mysite.com and vice versa. Their session is not maintained. The user has to log in again.
I have tried updating the cookie domain in php.ini to '.mysite.com' but it doesn't seem to help.
Is it possible that the site may have auto-logins across all subdomains and main domain without any core hacks, assuming the solution lies in making cookies readable from all subdomains, irrespective of from where it's being set?
Thanks all, for your time and suggestions !
I'm not sure how you could do this....
Here is just an idea, it would rely on JavaScript...
When a user logs in using your login form... a hidden iframe would exist and JavaScript would post your login data to the login page of each domain for your site, chaining them...
I don't feel it's a safe thing though... maybe I'm wrong...
You could use Joomla's MooTools framework to send an AJAX request to each domain...
Otherwise you might want to check how Joomla creates a session row in the database for each user on the site. Maybe you can just create them for each domain with one login. I'm gonna check my MySQL....
Are you using Joomla 1.5 or 2.5?
Otherwise I found this document for you:
http://docs.joomla.org/Multiple_Domains_and_Web_Sites_in_a_single_Joomla!_installation
Okay, this was easy. I was testing on the local machine and it seems if the domain doesn't have the dot, then the cookies are not handled well.
Just ensuring that the cookie domain is set to '.mysite.com' gets the job done.
1. It is also recommended that you use the same Joomla "secret" configuration value in the different websites as it is used to check the data exchanged between the different domains.
2. Ensuring that the cookie domain is set to '.mysite.com' gets the job done.
For example: once a user has logged in, the server side then needs to route the HTTP traffic to a certain Tomcat instance because all his/her files (not in the DBMS but on the local HD) are stored on that machine and there will be interactions between the web app and the underlying FS. Any way to do this?
Thanks!
This is often done by redirecting to a server-specific URL at or following login. The user's session then continues with that URL. I frequently find www replaced with www1, www2, etc. after login on sites I use.